What is an IT Health Check?
The Public Services Network (PSN) is the government’s high-performance network, which helps public-sector organisations work together. It enables commercial service providers to sell services where they can be accessed securely by public-sector organisations on the PSN.
An IT Health Check (ITHC) provides an independent assessment of your organisation’s cyber security.
It aims to provide assurance that your organisation’s external and internal systems are protected from unauthorised access or change, and that they do not provide an unauthorised entry point into systems that consume PSN services.
The scope of an ITHC engagement will generally include:
- External/internal network and systems vulnerability assessment
- External/internal network and systems penetration testing
- Web application penetration testing
- Host configuration security review
- Database configuration security review
- Firewall configuration security review
Once identified, the vulnerabilities are presented in a report that provides clear, measurable results along with effective risk remediation solutions.
Did you know?
With the number of services they provide, public sector organisations handle a large amount of personal and confidential information. Such data is extremely valuable if it gets into the wrong hands, and the need to improve security and prevent breaches has never been greater.
Consequently, performing an annual IT Health Check is a requirement of the Code of Connection (CoCo), a set of conditions that all public sector organisations must meet in order to access the PSN. Failure to comply with the security controls defined in the CoCo may lead to disconnection from the PSN, impacting the ability to connect with other public sector bodies.
Is an IT Health Check right for you?
The ITHC is designed to provide assurance that your external and internal systems are protected from unauthorised access or change, through assessments of protective monitoring controls, remote working devices and other areas.
You should use this service if:
- You need to meet the requirements set out in the PSN CoCo;
- You are currently connected to the PSN;
- You need to plan this year’s PSN CoCo compliance and submission; or
- You require a remediation action plan to help address any critical or high-risk vulnerabilities that are yet to be resolved.
The benefits of completing an IT Health Check
Our penetration tests will help you to:
- Gain real-world insight into your vulnerabilities.
- Scope your ITHC to conduct a tailored risk assessment.
- Demonstrate to the PSN authority that your network is secure.
- Receive recommendations for appropriate and cost-effective action to address any areas of high risk or noncompliance.
- Connect to third parties securely.
Our engagement process
Our CREST-accredited penetration testers follow an established methodology based primarily upon the Open Web Application Security Project (OWASP) and Open Source Security Testing Methodology Manual (OSSTMM) security risks. This approach will emulate the techniques of an attacker using many of the same readily available tools.
- Scoping - Before testing, our account management team will discuss your ITHC requirements so that you can fulfil the criteria of this test with the PSN authority.
- Reconnaissance - During this stage we will passively gather publicly available information that could aid the testing process. This covers the enumeration of usernames, email addresses, vulnerable versions and previously compromised credentials.
- Assessment - Using industry-standard methodologies such as OWASP and OSSTMM, and configuration guides made publicly available by the NCSC, each area in scope will be tested to identify vulnerabilities and security weaknesses.
- Reporting - On conclusion of the testing, the results will be fully analysed by an IT Governance certified tester, and a full report will be prepared for the customer that sets out the scope of the test and the methodology used, along with all the risks identified.
- Re-test - We can provide access to our testers and the raw test data to support and expedite remediation. We can also retest your systems so that you can be sure all the identified issues have been successfully resolved.
"I personally find the final report provided by IT Governance to be excellent…. It contains the depth of knowledge I require to accurately and effectively determine our system security improvement plan for the next 12 months."
- Wez Edwards, Senior Systems Architect, S2 Partnership LTD